[Coco] OT: ISP SOS
lamune at doki-doki.net
Wed Jul 25 23:21:41 EDT 2007
Gene Heskett wrote:
> On Wednesday 25 July 2007, kevdig at hypersurf.com wrote:
>> I can't send outgoing mail. Mozilla 1.8 gives an SMTP connection refused
>> error (This was sent using one of those web mail things). My ISP suggested
>> I try:
>> telnet smtpauth.hypersurf.com 25
>> This gives:
>> telnet: connect to address 184.108.40.206: Network is unreachable
>> I can ping it. I am on dialup and both systems I tried are running Linux
>> 2.4.31 (PowerMac 8600 and Toshiba laptop). Other than nat and masquerade
>> there are no iptable rules/chains installed that I know of.
>> More disturbing, when I added a record <file> option to pppd and did:
>> telnet smtpauth.hypersurf.com
>> and then disconnected I saw some strange content from pppdump <file>:
>> rcvd "\00\00\00\00\00\00#\00\00\00\00\00\00\00#\00\00\00ALERT\00\00\00\00\00
>> \00\00\00\c2\00\00\00\00\00\00\00\c2\00\00\00 STOP! IMMEDIATE
>> ATTEN TI"
>> rcvd "ON REQUIRED\0a\0a Windows has found "
>> time 0.1s
>> rcvd "CRITICAL SYSTEM ERRORS.\0a\0a Download Registry Clean"
>> rcvd "er from: www.key32.com\0a\0aFAILURE TO ACT NOW MAY LEAD TO DATA LOSS
>> AN D CORRUPTION!\0a\0a\00\00\00\00\00\00\f7\a4~"
>> Any suggestions welcome. My ISP thinks my systems are screwed up?
> www.key32.com, IIRC is a virii site. He's right I believe.
> That is disturbing in that the signs all point to the machine being
> compromised, possibly by a botnet infection.
> First is to unplug the phone line so it can't do any more damage.
> Copy off anything personal to some other storage media, and re-install, then
> make sure the first thing is an update to the latest patches.
> Or switch to linux.
Yep, you've been hax0r3d.
Time to reinstall!
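To see what was actually pushed down the link, here is an added example (not from the thread or any poster) that reassembles the `rcvd` chunks of a pppdump listing, decodes the backslash-plus-two-hex-digit escapes that the quoted output appears to use (an assumption), and flags the scareware phrases; the sample listing is constructed from the excerpt above.

```python
import re

# Constructed sample modelled on the pppdump excerpt quoted above.
# Trimmed and hand-built for this example; not the original capture.
SAMPLE_DUMP = r'''
rcvd "\00\00\00\00\00\00#\00\00\00ALERT\00\00\00 STOP! IMMEDIATE ATTENTI"
time 0.1s
rcvd "ON REQUIRED\0a\0a Windows has found "
rcvd "CRITICAL SYSTEM ERRORS.\0a\0a Download Registry Clean"
rcvd "er from: www.key32.com\0a\0aFAILURE TO ACT NOW MAY LEAD TO DATA LOSS"
sent "\ff\03\c0\21"
'''

# Only the received side of the link matters here; "sent"/"time" lines are skipped.
RCVD_LINE = re.compile(r'^rcvd "(.*)"$')
# Assumed escape format: a backslash followed by two hex digits per non-printable byte,
# matching the \00 / \0a / \c2 forms seen in the quoted output.
ESCAPE = re.compile(r'\\([0-9a-fA-F]{2})')

# Phrases typical of "your PC is infected, download our cleaner" scareware.
SCAREWARE_MARKERS = ("CRITICAL SYSTEM ERRORS", "Registry Cleaner", "FAILURE TO ACT NOW")


def decode_chunk(text):
    """Turn one escaped rcvd payload back into the characters it carried."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def reassemble_received(dump):
    """Concatenate every rcvd chunk in order; messages split across packets join up."""
    parts = []
    for line in dump.splitlines():
        m = RCVD_LINE.match(line.strip())
        if m:
            parts.append(decode_chunk(m.group(1)))
    return "".join(parts)


def extract_text(payload):
    """Drop NULs and other control bytes, collapse whitespace, keep the readable text."""
    cleaned = "".join(ch for ch in payload if ch == "\n" or ch >= " ")
    return " ".join(cleaned.split())


def find_markers(text):
    """Return the scareware phrases present in the reassembled text (case-insensitive)."""
    return [m for m in SCAREWARE_MARKERS if m.lower() in text.lower()]


if __name__ == "__main__":
    readable = extract_text(reassemble_received(SAMPLE_DUMP))
    print(readable)
    print("matched:", find_markers(readable))
```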